Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Darktrace Model Breach

Darktrace Model Breach

Back
Ida3c7b8ed-56a9-47b7-98e5-2555c16e17c9
RulenameDarktrace Model Breach
DescriptionThis rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.
SeverityMedium
Required data connectorsDarktraceRESTConnector
KindNRT
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
Version1.1.0
Arm templatea3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json
Deploy To Azure
darktrace_model_alerts_CL 
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", 
                                  DtCategory == "Critical", "High",
                                  "Informational") 

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
queryPeriod: 5m
description: |
    'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
triggerThreshold: 0
name: Darktrace Model Breach
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DstHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
kind: NRT
requiredDataConnectors:
- connectorId: DarktraceRESTConnector
  dataTypes:
  - darktrace_model_alerts_CL
customDetails:
  DtDeviceID: DtDeviceID
  SrcMacAddr: SrcMacAddr
  DtDescription: DtDescription
  SrcPortNumber: SrcPortNumber
  NetworkRuleName: NetworkRuleName
  EventStartTime: EventStartTime
  EventSeverity: EventSeverity
  DstMacAddr: DstMacAddr
  NetworkRuleNumber: NetworkRuleNumber
  DtSentinelCategory: DtSentinelCategory
  ThreatId: ThreatId
  DstPortNumber: DstPortNumber
  DtCategory: DtCategory
  DtCompliance: DtCompliance
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
tactics: 
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
version: 1.1.0
query: |
  darktrace_model_alerts_CL 
  | where dtProduct_s =="Policy Breach"
  | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
  | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
  | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", 
                                    DtCategory == "Critical", "High",
                                    "Informational")   
alertDetailsOverride:
  alertTacticsColumnName: 
  alertSeverityColumnName: 
  alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
  alertDescriptionFormat: '{{DtMessage}}'
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: DtBreachURL
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: ProductComponentName
    value: ThreatCategory
  - alertProperty: Severity
    value: DtSentinelCategory
severity: Medium
relevantTechniques: